Re: Capturing X509 certificate and storing them using the Windows Certificates API

2005-07-07 Thread Rajeshwar Singh Jenwar 
Hi
Just try this.
Generating Certificates for Windows Clients
When generating certicates forWindows clients you have to make sure
that the lifetime
of the certicate lies within the lifetime of the CA. If the lifetime
of the certicate
exceeds the lifetime of the CA, the windows client will not accept the
certicate!
The easiest way to transfer certicates to a windows box is by using the PKCS#12
exchange format. Openssl can reformat the certicates to this format:
$ openssl pkcs12 -export -inkey key.pem -in cert.pem -certfile
cacert.pem -out export.p12

enjoy.

On 7/7/05, Pj <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> My application needs to support Non-repudiation using X509 certificates ala
> AS2.
> 
> Has anyone had the pleasure of storing X509 client and server certificates
> in the windows certificate registry / database? And if so, whats the best
> place to start to convert X509 to the windows format?
> 
> Thanks!
> Pj.
> 
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.323 / Virus Database: 267.8.9/42 - Release Date: 6/07/2005
> 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Batch mode for ENGINE_load_private_key

2005-07-07 Thread Bartek Palak 




Hi All,

Does anybody know how to make function ENGINE_load_private_key working
in batch (not interactive) mode?

I am using nCipher hardware module and CHIL engine library. 




Unfortunately standard "hwcrhk_get_pass" and "
hwcrhk_insert_card" functions use "ui methods" for interacting with user
(asking about pass, printing error messages, etc). I am writing batch
application, so any interaction with user is impossible.


Another problem is, that in case of any errors (e.g. incorrect
password) this function are called in a loop. 


There is any possibility to "unset" UI_CTRL_IS_REDOABLE flag?

Any help will be appreciated.

regards
Bartek Palak

Re: question about ssl

2005-07-07 Thread Jostein Tveit 
amineh salehi <[EMAIL PROTECTED]> writes:

> in the ciphersuites defined for it in "rfc2246"( TLS1.0), there isn't
> diffi-helman key exchange, why? 

RFC 2246 specifies many DH key exchange cipher suites. Have a
look at page 61.

>  What is the soulotion for vulnerability in anonymous key exchange pointed
> by Bruce Schneier (analysis of ssl,1996) ?

Do you mean "Analysis of the SSL 3.0 protocol" by Wagner and
Schneier?

If this is the paper you are talking about, you may have an old
version. The version revised April 15, 1997, states that this was
a typo in the standard, and that the designers intended that the
signature be omitted entirely.

-- 
Jostein Tveit <[EMAIL PROTECTED]>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Capturing X509 certificate and storing them using the Windows Certificates API

2005-07-07 Thread Dr. Stephen Henson 
On Thu, Jul 07, 2005, Pj wrote:

> Hi all,
> 
> My application needs to support Non-repudiation using X509 certificates ala
> AS2.
> 
> Has anyone had the pleasure of storing X509 client and server certificates
> in the windows certificate registry / database? And if so, whats the best
> place to start to convert X509 to the windows format?
> 

Do you mean the database use by MSIE et al? If so then there are two options.

If you want to install the certificate *and* private key use PKCS#12 format,
the OpenSSL pkcs12 utility and APIs can do that. Use a .pfx oro .p12 extension
if you want Windows to recognise the file type automatically, 

If you want to install just the certificate (not sure why you'd want to do
that with a server certificate: you should store its CA) then use DER format
AND NOT PKCS#12!! The reason for the emphasis is in the FAQ. Use an appropriate
extension such as .crt.

If you want to install these manually then use the certificate import wizard
from MSIE or just double click on them.

If you want to install them programatically then you'll need to use CryptoAPI.
Details in the MS docs.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Expire time of session resumption...

2005-07-07 Thread Céline HAY 
Hi,

I'm testing a SSL client with the server of openssl command line tool.
I want to test the comportement of my client for the session
resumption.
How can I change the expire time (of the session resumption) of the
openssl server ?

Thanks a lot,

Céline
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

How to convert a pfx (pkcs12) file into pkcs7?

2005-07-07 Thread Reiner Nix 
Hi,

I have a pfx (pkcs12) file from a browser with a key but need a pkcs7 file to 
use it for Java.

How can I convert the key?


Thanks,
Reiner Nix
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

0.9.8 on OS X (Tiger) (10.4.1)

2005-07-07 Thread Joseph Bruni 
I think I found the problem installing on OS X. In the ./engines/Makefile, in 
the "install" target, the script makes the assumption that shared library files 
are named *.so, whereas they are named *.dylib on Darwin.

There is even a comment to that effect in the Makefile:

# X This currently only works on systems that use .so as suffix
# for shared libraries as well as for Cygwin which uses the
# dlfcn_name_converter and therefore stores the engines with .so suffix, too.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Loading a PKCS7 SignedData structure with d2i_PKCS7_fp

2005-07-07 Thread Fred Anderson 
I have a binary file with a DER-encoded SignedData structure in it. I
can use the following command:

$ openssl pkcs7 -inform DER -in pt2.out -print_certs -text

and I get all sorts of expected information about the certificate in
the structure, which indicates to me that the file's in the right
format.

I'm trying to load the SignedData into a PKCS7, so I can use the
PKCS7_verify function to verify the signature in it. To do that, I'm
calling d2i_PKCS7_fp. I receive no errors, but my PKCS7 is still
empty.

Here's the code I'm using:

  FILE *fp = fopen("pt2.out","rb");
  PKCS7 *p7 = NULL;

  ERR_load_PKCS7_strings();
  ERR_load_X509_strings();

  p7 = d2i_PKCS7_fp(fp,NULL);

(I've also tried "p7 = d2i_PKCS7_fp(fp,&p7);" with the same results)

Printing p7->detached and p7->length both show a zero. Calling
PKCS7_verify with p7 gives a segmentation fault, while calling it with
NULL returns a 0 (failure).

I can't seem to find any real documentation on using the d2i_PKCS7_fp
function, so I suspect I'm just doing something wrong. Can someone
point me to something that gives a little explanation on using the
function, or show me an example of using it?

Thanks in advance,
Fred
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Loading a PKCS7 SignedData structure with d2i_PKCS7_fp

2005-07-07 Thread Dr. Stephen Henson 
On Thu, Jul 07, 2005, Fred Anderson wrote:

> I have a binary file with a DER-encoded SignedData structure in it. I
> can use the following command:
> 
> $ openssl pkcs7 -inform DER -in pt2.out -print_certs -text
> 
> and I get all sorts of expected information about the certificate in
> the structure, which indicates to me that the file's in the right
> format.
> 
> I'm trying to load the SignedData into a PKCS7, so I can use the
> PKCS7_verify function to verify the signature in it. To do that, I'm
> calling d2i_PKCS7_fp. I receive no errors, but my PKCS7 is still
> empty.
> 
> Here's the code I'm using:
> 
>   FILE *fp = fopen("pt2.out","rb");
>   PKCS7 *p7 = NULL;
> 
>   ERR_load_PKCS7_strings();
>   ERR_load_X509_strings();
> 
>   p7 = d2i_PKCS7_fp(fp,NULL);
> 
> (I've also tried "p7 = d2i_PKCS7_fp(fp,&p7);" with the same results)
> 
> Printing p7->detached and p7->length both show a zero. Calling
> PKCS7_verify with p7 gives a segmentation fault, while calling it with
> NULL returns a 0 (failure).
> 
> I can't seem to find any real documentation on using the d2i_PKCS7_fp
> function, so I suspect I'm just doing something wrong. Can someone
> point me to something that gives a little explanation on using the
> function, or show me an example of using it?
> 

If you get a non-NULL return from d2i_PKCS7_fp() the structure should be
basically OK. How are you calling PKCS7_verify?

You can perform this operation using the 'openssl smime' for example:

openssl smime -verify -inform DER -in whatever.der

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

ECC & EVP Interface Broken?

2005-07-07 Thread Ladar Levison 



The code below works when I use the RSA key generation functions, but when I try
to generate an ECC key, and use it, it doesn't work. I am using 0.9.8 beta 6.

I'm not sure if this is a result of my lack of understanding about ECC, or the
implementation is broken, hence my post to `users` and not `dev`.

Does anyone know of a good tutorial for using OpenSSL to do ECC encryption? I
haven't found anything on Google.

On a side note, I understand that the session key is stored in `ek`, but what I
don't know is whether that session key is encrypted using the public ECC key. If
so, then it doesn't need to be protected, only the ECC private key needs to be
protected. Can someone confirm this for me?

Thanks,

L~

#include 
#include 
#include 
#include 
#include 

int main() {

char *string = "This is the string we are trying to encrypt.";
printf("Unencoded string = {%s}\n", string);

/*
RSA *key = RSA_generate_key(1024, RSA_F4, NULL, NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, key);
*/


EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
if (group == NULL) {
printf("Could not get group.\n");
return 0;
}
EC_KEY *key = EC_KEY_new();
if (key == NULL) {
printf("Could not generate an EC key structure.\n");
return 0;
}
if (EC_KEY_set_group(key, group) == 0) {
printf("EC Group association failed.\n");
return 0;
}
if (EC_KEY_generate_key(key) == 0) {
printf("EC Key Generation failed.\n");
return 0;
}
EVP_PKEY *pkey = EVP_PKEY_new();
if (EVP_PKEY_assign_EC_KEY(pkey, key) == 0) {
printf("Could not associate the EC key with PKEY.\n");
return 0;
}

char iv[EVP_MAX_IV_LENGTH];
RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);

EVP_CIPHER_CTX ctx;
int out_len = EVP_PKEY_size(pkey);
int npubk = 1;
unsigned char **ek = (unsigned char **)malloc(sizeof(unsigned char *) * 
npubk);
ek[0] = (unsigned char *) malloc(EVP_PKEY_size(pkey));
EVP_SealInit(&ctx, EVP_aes_256_cbc(), ek, &out_len, &iv[0], &pkey, 
npubk);

int buf_len = 500;
unsigned char buf[buf_len];
EVP_SealUpdate(&ctx, &buf[0], &buf_len, string, strlen(string));

int i;
int tot_len = buf_len;
printf("Encoded string = {");
for (i = 0; i < buf_len; i++) {
printf("%02x", buf[i]);
}

EVP_SealFinal(&ctx, &buf[buf_len], &buf_len);
for (i = 0; i < buf_len; i++) {
printf("%02x", buf[i + tot_len]);
}
printf("}\n");

EVP_OpenInit(&ctx, EVP_aes_256_cbc(), *ek, out_len, &iv[0], pkey);

char de_string[1000];
int de_len = 1000;
EVP_OpenUpdate(&ctx, de_string, &de_len, &buf[0], tot_len + buf_len);
tot_len = de_len;
EVP_OpenFinal(&ctx, &de_string[tot_len], &de_len);
de_string[tot_len + de_len] = '\0';


printf("Unencoded string = {%s}\n", de_string);

return 0;
}


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: ECC & EVP Interface Broken?

2005-07-07 Thread Dr. Stephen Henson 
On Thu, Jul 07, 2005, Ladar Levison wrote:

> 
> 
> The code below works when I use the RSA key generation functions, but when 
> I try
> to generate an ECC key, and use it, it doesn't work. I am using 0.9.8 beta 
> 6.
> 
>   EVP_SealInit(&ctx, EVP_aes_256_cbc(), ek, &out_len, &iv[0], &pkey, 
>   npubk);
>   

That's your problem there. Key transport (which EVP_SealInit uses) can only be
done with RSA keys.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Loading a PKCS7 SignedData structure with d2i_PKCS7_fp

2005-07-07 Thread Fred Anderson 
Steve,

Thanks for the reply. I was able to verify the signature using
"openssl smime" like you suggested, and the d2i_PKCS7_fp function is
returning a non-null value.

I'm thinking now that the problem may be in the BIO structures I'm
creating and passing to the verify function. Here's what I have:

  int ret;
  FILE *fp = fopen("pt2.out","rb");
  int fd = open("data.out",O_RDONLY);
  BIO *In, *Out;
  PKCS7 *p7 = NULL;


  p7 = d2i_PKCS7_fp(fp,NULL);

  In = BIO_new_fd(fd,BIO_NOCLOSE);
  Out = BIO_new(BIO_s_null());

  ret = PKCS7_verify(p7,NULL,NULL,In,Out,0);
  printf("Call returned %d\n",ret);


where 'fd' is a file descriptor to a file containing the data
(detached) for the signature I wish to verify. As the code stands, the
PKCS7_verify is segfaulting.

My apologies if this is basic stuff; I'm still a beginner with OpenSSL
coding and having a hard time finding docs to explain the usage of the
calls and how the calls all tie together.

Thanks again,
Fred

On 7/7/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 07, 2005, Fred Anderson wrote:
> 
> > I have a binary file with a DER-encoded SignedData structure in it. I
> > can use the following command:
> >
> > $ openssl pkcs7 -inform DER -in pt2.out -print_certs -text
> >
> > and I get all sorts of expected information about the certificate in
> > the structure, which indicates to me that the file's in the right
> > format.
> >
> > I'm trying to load the SignedData into a PKCS7, so I can use the
> > PKCS7_verify function to verify the signature in it. To do that, I'm
> > calling d2i_PKCS7_fp. I receive no errors, but my PKCS7 is still
> > empty.
> >
> > Here's the code I'm using:
> >
> >   FILE *fp = fopen("pt2.out","rb");
> >   PKCS7 *p7 = NULL;
> >
> >   ERR_load_PKCS7_strings();
> >   ERR_load_X509_strings();
> >
> >   p7 = d2i_PKCS7_fp(fp,NULL);
> >
> > (I've also tried "p7 = d2i_PKCS7_fp(fp,&p7);" with the same results)
> >
> > Printing p7->detached and p7->length both show a zero. Calling
> > PKCS7_verify with p7 gives a segmentation fault, while calling it with
> > NULL returns a 0 (failure).
> >
> > I can't seem to find any real documentation on using the d2i_PKCS7_fp
> > function, so I suspect I'm just doing something wrong. Can someone
> > point me to something that gives a little explanation on using the
> > function, or show me an example of using it?
> >
> 
> If you get a non-NULL return from d2i_PKCS7_fp() the structure should be
> basically OK. How are you calling PKCS7_verify?
> 
> You can perform this operation using the 'openssl smime' for example:
> 
> openssl smime -verify -inform DER -in whatever.der
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: ECC & EVP Interface Broken?

2005-07-07 Thread Ladar Levison 

Dr. Stephen Henson wrote:

On Thu, Jul 07, 2005, Ladar Levison wrote:




The code below works when I use the RSA key generation functions, but when 
I try
to generate an ECC key, and use it, it doesn't work. I am using 0.9.8 beta 
6.


	EVP_SealInit(&ctx, EVP_aes_256_cbc(), ek, &out_len, &iv[0], &pkey, 
	npubk);





That's your problem there. Key transport (which EVP_SealInit uses) can only be
done with RSA keys.

Steve.


This might be a dumb question, but what is `key transport` and why doesn't ECC 
support it?


Is this is a case where OpenSSL implementation of ECC doesn't support it, or 
where ECC isn't a suitable algorithim to use for envelope encryption?


L~


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Apache 2.0 + ssl + client cert + server cert

2005-07-07 Thread Fco .J. Arias 
Hello, I already solve the problem, seems that de message debug:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned

is false or incorrect, the correct debug message could be:

:sorry I can't verify the client certificate, I do not know the CA.
 
Thanks a lot. Fran

O Mér, 2005-07-06 ás 23:57, Joseph Bruni escribiu:
> Is your client sending only its certificate, or are you sending the entire 
> certificate chain?
> It looks like your server is unable to rebuild the cert. chain from the 
> client to the root.
> 
> 
> 
> -Original Message-
> From: "Fco .J. Arias" <[EMAIL PROTECTED]>
> Sent: Jul 6, 2005 2:47 PM
> To: openssl-users@openssl.org
> Subject: Apache 2.0 + ssl + client cert + server cert
> 
> Hello I'm trying to use apache with client auth, but I can't. The
> problem is in logs errors:
> 
> .
> .
> .
> before other CA
> a, B ,C ,D, E, F are strings
> .
> [Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA
> certificate: /C=A/ST=B/L=C/O=D/OU=Webserver
> Team/CN=www.foo.com/[EMAIL PROTECTED]
> [Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA
> certificate: /C=A/ST=B/L=C/O=D/OU=Webserver
> Team/CN=www.foo.com/[EMAIL PROTECTED]
> [Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA
> certificate: /C=A/ST=B/L=C/O=D/OU=Certificate Authority/CN=F
> CA/[EMAIL PROTECTED]
> 
> .
> .
> .
> [Wed Jul 06 21:57:34 2005] [debug] ssl_engine_kernel.c(1210):
> Certificate Verification: depth: 0, subject:
> /C=A/ST=B/L=C/O=None/OU=None/CN=Fran D, /[EMAIL PROTECTED],
> issuer: /C=A/ST=B/L=C/O=D/OU=Certificate Authority/CN=F
> CA/[EMAIL PROTECTED]
> [Wed Jul 06 21:57:44 2005] [error] Certificate Verification: Error (20):
> unable to get local issuer certificate
> [Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1790): OpenSSL:
> Write: SSLv3 read client certificate B
> [Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1809): OpenSSL:
> Exit: error in SSLv3 read client certificate B
> [Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1809): OpenSSL:
> Exit: error in SSLv3 read client certificate B
> [Wed Jul 06 21:57:44 2005] [info] SSL library error 1 in handshake
> (server www.foo.com:8443, client 192.168.0.2)
> [Wed Jul 06 21:57:44 2005] [info] SSL Library Error: 336105650
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned
> [Wed Jul 06 21:57:44 2005] [info] Connection to child 2 closed with
> abortive shutdown(server www.foo.com:8443, client 192.168.0.2)
> 
> 
> Anyone know How to solve this problem?
> 
> 
> 
> It's posible get datum of certificates(like CN of client or server) into
> Apache C API?
> 
> Thanks, Fran.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

0.9.8 on OS X (Tiger) (10.4.1)

2005-07-07 Thread Joseph Bruni 
One last update on getting 0.9.8 to build on OS X. As long as I do NOT try to 
build "shared" then everything builds okay.

Now if only I could get Xcode to actually use the static libraries...

-Joe

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: ECC & EVP Interface Broken?

2005-07-07 Thread Dr. Stephen Henson 
On Thu, Jul 07, 2005, Ladar Levison wrote:

> Dr. Stephen Henson wrote:
> >On Thu, Jul 07, 2005, Ladar Levison wrote:
> >
> >
> >>
> >>The code below works when I use the RSA key generation functions, but 
> >>when I try
> >>to generate an ECC key, and use it, it doesn't work. I am using 0.9.8 
> >>beta 6.
> >>
> >>EVP_SealInit(&ctx, EVP_aes_256_cbc(), ek, &out_len, &iv[0], &pkey, 
> >>npubk);
> >>
> >
> >
> >That's your problem there. Key transport (which EVP_SealInit uses) can 
> >only be
> >done with RSA keys.
> >
> 
> This might be a dumb question, but what is `key transport` and why doesn't 
> ECC support it?
> 
> Is this is a case where OpenSSL implementation of ECC doesn't support it, 
> or where ECC isn't a suitable algorithim to use for envelope encryption?
> 

Key transport is where some secret data (for example an AES key) is encrypted
using a public key so that the intended recipient can recover it by decryption
with a private key.

The only algorithm that currently can do this in OpenSSL is RSA.

I think there are some ECC algorithms that can be used for key transport (El
Gamal?) but they aren't currently supported.

Key agreement, where two parties agree on the same secret key, is supported
using ECDH.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Loading a PKCS7 SignedData structure with d2i_PKCS7_fp

2005-07-07 Thread Dr. Stephen Henson 
On Thu, Jul 07, 2005, Fred Anderson wrote:

> Steve,
> 
> Thanks for the reply. I was able to verify the signature using
> "openssl smime" like you suggested, and the d2i_PKCS7_fp function is
> returning a non-null value.
> 
> I'm thinking now that the problem may be in the BIO structures I'm
> creating and passing to the verify function. Here's what I have:
> 
>   int ret;
>   FILE *fp = fopen("pt2.out","rb");
>   int fd = open("data.out",O_RDONLY);
>   BIO *In, *Out;
>   PKCS7 *p7 = NULL;
> 
> 
>   p7 = d2i_PKCS7_fp(fp,NULL);
> 
>   In = BIO_new_fd(fd,BIO_NOCLOSE);
>   Out = BIO_new(BIO_s_null());
> 
>   ret = PKCS7_verify(p7,NULL,NULL,In,Out,0);
>   printf("Call returned %d\n",ret);
> 
> 
> where 'fd' is a file descriptor to a file containing the data
> (detached) for the signature I wish to verify. As the code stands, the
> PKCS7_verify is segfaulting.
> 
> My apologies if this is basic stuff; I'm still a beginner with OpenSSL
> coding and having a hard time finding docs to explain the usage of the
> calls and how the calls all tie together.
> 

You might find it easier to use:

BIO *foo = BIO_new_file("filename", "rb");

which is a BIO version of "fopen".

Also you need to include a trusted certificate store which includes the CAs
you trust. If you include the flag PKCS7_NOVERIFY it wont try to verify the
signers certificates: that's not useful for anything other than debugging
because anyone could create a PKCS#7 structure it would then verify as OK.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: openssl-0.9.8 will not compile on MinGW

2005-07-07 Thread Alex Yaroslavsky 
Hello, Frank!

FB> Hello, i have tryed to compile openssl but it stops with the error:
FB> gcc -o out\md2test  tmp\md2test.o out\libssl.a out\libcrypto.a -lwsock32
FB> -lgdi32
FB> out\libcrypto.a(cryptlib.o)(.text+0x2b9):cryptlib.c: undefined reference to
FB> `OPENSSL_ia32_cpuid'
Yeah, I got that error too. Here's what I did to fix this:

OPENSSL_ia32_cpuid is defined in crypto\x86cpuid.pl so I ran

perl x86cpuid.pl gaswin > x86cpuid.s
as -o x86cpuid.o x86cpuid.s

then I copied x86cpuid.o to the tmp folder (where the make file creates
all the *.o files) and added $(OBJ_D)\x86cpuid.o to the dependencies for
CRYPTOOBJ in the ms\mingw32a.mak makefile. Then I just ran the rest of
the mingw32.bat file

- system clipboard >8
perl util\mk1mf.pl gaswin Mingw32 >ms\mingw32a.mak
echo Generating DLL definition files
perl util\mkdef.pl 32 libeay >ms\libeay32.def
if errorlevel 1 goto end
perl util\mkdef.pl 32 ssleay >ms\ssleay32.def
if errorlevel 1 goto end

rem copy ms\tlhelp32.h outinc

echo Building the libraries
mingw32-make -f ms/mingw32a.mak
if errorlevel 1 goto end

echo Generating the DLLs and input libraries
dllwrap --dllname libeay32.dll --output-lib out/libeay32.a --def 
ms/libeay32.def out/libcrypto.a -lwsock32 -lgdi32
if errorlevel 1 goto end
dllwrap --dllname libssl32.dll --output-lib out/libssl32.a --def 
ms/ssleay32.def out/libssl.a out/libeay32.a
if errorlevel 1 goto end

echo Done compiling OpenSSL

:end
8< end of system clipboard --

after that, compilation went ok and all tests passed.

-- 
Bye,
Alex.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re[2]: openssl-0.9.8 will not compile on MinGW

2005-07-07 Thread Alex Yaroslavsky 
Hello, Alex!

AY> Then I just ran the rest of the mingw32.bat file

You need only this part, not all the bat file. Sorry.

AY> echo Building the libraries
AY> mingw32-make -f ms/mingw32a.mak
AY> if errorlevel 1 goto end

AY> echo Generating the DLLs and input libraries
AY> dllwrap --dllname libeay32.dll --output-lib out/libeay32.a --def 
ms/libeay32.def out/libcrypto.a -lwsock32 -lgdi32
AY> if errorlevel 1 goto end
AY> dllwrap --dllname libssl32.dll --output-lib out/libssl32.a --def 
ms/ssleay32.def out/libssl.a out/libeay32.a
AY> if errorlevel 1 goto end

AY> echo Done compiling OpenSSL

AY> :end

-- 
Bye,
Alex.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Problem with AES_cbc_encrypt

2005-07-07 Thread Bhupendra K Joshi 
Hello,
 
Can anyone help me with finding the length of encrypted and decrypted data via AES_cbc_encrypt? or else send me some test programs which have used AES_cbc_encrypt.
 
Bhupendra
		 Sell on Yahoo! Auctions  - No fees. Bid on great items.

Re: Batch mode for ENGINE_load_private_key

2005-07-07 Thread Goetz Babin-Ebell 

Bartek Palak wrote:

Hi All,

Hello Bartek,

Does anybody know how to make function ENGINE_load_private_key working 
in batch (not interactive) mode?


You can implement an own UI_METHOD doesn't ask for the pass phrase.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


smime.p7s
Description: S/MIME Cryptographic Signature